Description

ckeygen --changepass does not work and exhibits different failing behavior for unencrypted and encrypted keys.

Unencrypted keys are truncated to zero bytes because the key is opened and written to in one call, which throws a TypeError (no data is written).

Encrypted keys don't get destroyed, but the passphrase change also fails to complete due to an uncaught EncryptedKeyError. The user is never prompted for a passphrase and old/new passphrases provided on the command line are not used

Change passphrase issues fixed, tests added. Note that this patch includes cumulative changes from #5889 and #5890 as the issues are related.

However there are intermittent failures in this new twisted.conch.test.test_ckeygen.KeyGenTests.test_changePassPhrase, specifically the test for providing a bad passphrase for an encrypted key.

Single runs of the test usually pass, but continuously running it will eventually bomb with a variety of errors that seem to stem from pyasn1.codec.ber.decoder() returning 'weird stuff'. I don't know if this is a problem with pyasn1 or the data being provided to it.

Thanks for the great patch, and sorry for not giving you feedback earlier. There are still about 3 sys.exit calls not covered by tests, it'd be great if you could provide those as a patch against the branch I created. Everything else looked good.

By the time newkeydata is written it has already successfully survived roundtrip generation as a string from a Key object and converted to a valid Key object. More specifically, if newkeydata is an empty string (returned from toString), the subsequent call to fromString will raise BadKeyError and ckeygen will exit. This is covered by twisted.conch.test.test_keys.KeyTestCase.test_fromStringErrors

Here's a patch to address the review comments. I added a test to address the newkeydata concern (test_changePassphraseEmptyStringError), but I don't really think it's necessary.

therve: Thanks for picking this up and running with it (and thanks for the reviews tom.prince)!